oss-sec mailing list archives

Re: CVE request: SQL injection and shell escaping issues in Cacti < 0.8.8b


From: Giuseppe Iuculano <iuculano () debian org>
Date: Tue, 13 Aug 2013 13:42:32 +0200

I confirm this.

Giuseppe.


On 07/08/2013 19:33, Salvatore Bonaccorso wrote:
Could you wait a bit with assigning these CVEs? Giuseppe Iuculano from
the Debian Security Team should have already assigned two CVEs to them
(I'm putting him in the loop), but apparently upstream has not
referenced them in the changelog. AFAICS the CVEs assigned were:

CVE-2013-1434 -> cacti_snmp_sql_injection_CVE-2013-1434.patch

CVE-2013-1435 -> cacti_snmp_escape_string_CVE-2013-1435.patch and
fix_quoting_in_rrd_command_CVE-2013-1435.patch

I will search the mapping patchname -> svn commits and update you.

Thanks for this, Salvatore.  I'll wait for that mapping before
referencing anything though.
Apologies for the off-list posting, but I wanted to avoid some
confusion! I have found the mapping, which should be as follows:

http://svn.cacti.net/viewvc?view=rev&revision=7392 -> cacti_snmp_escape_string_CVE-2013-1435.patch -> CVE-2013-1435
http://svn.cacti.net/viewvc?view=rev&revision=7393 -> fix_quoting_in_rrd_command_CVE-2013-1435.patch -> CVE-2013-1435
http://svn.cacti.net/viewvc?view=rev&revision=7394 -> cacti_snmp_sql_injection_CVE-2013-1434.patch -> CVE-2013-1434

@Giuseppe, can you confirm?

